China released the Regulation on Security Protection of Critical Information Infrastructure (the “Regulation”) on July 30, 2021, aiming to provide special protection to critical information infrastructure (“CII”). It takes effect on September 1, 2021, together with the Data Security Law. It is China’s latest move to strengthen its IT infrastructure security and cyberspace regulation following the promulgation of the Cybersecurity Law.
1. What is CII?
The Regulation stipulates that CII refers to the critical IT network facilities and information systems of key industries and sectors, such as public communication and information services, energy, transport, water conservancy, finance, public services, e-government and the national defense science and technology industry, as well as other critical IT network facilities and information systems that, once damaged, disabled or subject to data leakage, may severely endanger national security, the national economy, people’s livelihood and the public interest.
2. How to determine CII?
Competent authorities are required to formulate guidelines
The Regulation requires the authorities regulating those key industries and sectors to formulate guidelines detailing the criteria for determining CII, and to file such guidelines with China’s Ministry of Public Security.
The following are the key factors to be considered when formulating the guidelines:
(1) The level of importance of the IT network facilities and information systems to the critical and key businesses of the industry or sector;
(2) The level of harm to those critical and key businesses of the industry or sector should the IT network facilities and information systems be damaged, disabled or subject to data leakage;
(3) The knock-on impact on other industries or sectors.
Competent regulatory authorities are responsible for determining CII in their industries or sectors pursuant to the guidelines and then reporting the determination results to China’s Ministry of Public Security.
CII operators are obliged to report any change that may affect the CII determination result to the competent regulatory authorities, which shall complete the redetermination within 3 months of receiving the report.
3. What are CII operators’ Dos and Don’ts?
In addition to the general duties and obligations under the Cybersecurity Law, a CII operator must perform the following duties and obligations as required by the Regulation:
(1) to adopt, based on the cybersecurity protection classification, technical protection measures and other necessary measures to handle cybersecurity incidents, prevent cyberattacks and unlawful or criminal activities, safeguard the secure and stable operation of the CII, and maintain the integrity, confidentiality and availability of data;
(2) to design, construct and use security protection facilities concurrently with the design, construction and use of the CII;
(3) to set up and continuously improve a cybersecurity protection system;
(4) to set up a security management department to carry out day-to-day security protection;
(5) to conduct security background checks on the person in charge of, and key position staff in, the security management department;
(6) to conduct, at least once a year, a cybersecurity inspection and risk assessment, either itself or through a third-party vendor;
(7) to report any significant cybersecurity incidents or threats to the competent regulatory authorities and the public security authorities;
(8) to give priority to purchasing secure and reliable network products and services, and to undergo a cybersecurity review if the purchase may affect national security;
(9) to conclude security and confidentiality agreements with suppliers of network products and services;
(10) to report to the competent regulatory authorities in the event of a merger, division, dissolution or other such change, and to dispose of the CII in accordance with governmental requirements.